Search

Find a vulnerability

Search criteria

    Related vulnerabilities

    GHSA-WF69-R4MX-43RR

    Vulnerability from github – Published: 2026-06-22 19:54 – Updated: 2026-06-22 19:54
    VLAI
    Summary
    AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration
    Details

    Vulnerability Details

    CWE: CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory

    The official docker-compose.yml (line 61) mounts the entire project root directory as the Apache document root:

    volumes:
  - "./:/var/www/html/AVideo"

    This causes the .env file — which contains database credentials, admin passwords, and infrastructure configuration — to be served as a static file at /.env. No .htaccess rule or Apache configuration blocks access to dotfiles.

    Exposed Information

    An unauthenticated request to GET /.env returns:

    DB_MYSQL_HOST=database
DB_MYSQL_USER=avideo
DB_MYSQL_PASSWORD=avideo
SYSTEM_ADMIN_PASSWORD=admin123
TLS_CERTIFICATE_FILE=/etc/apache2/ssl/localhost.crt
TLS_CERTIFICATE_KEY=/etc/apache2/ssl/localhost.key
NETWORK_SUBNET=172.30.0.0/16

    Steps to Reproduce

    Prerequisites

    • AVideo deployed using the official docker-compose.yml
    • No modifications to the default configuration

    Steps

    1. Deploy AVideo using docker compose up -d
    2. Send: curl http://target/.env
    3. The full .env file contents are returned, including database credentials and admin password

    Impact

    • Attacker: Unauthenticated (any remote user)
    • Victim: AVideo server and database
    • Specific damage: Attacker obtains database credentials (DB_MYSQL_USER, DB_MYSQL_PASSWORD), admin password (SYSTEM_ADMIN_PASSWORD), and internal network topology (NETWORK_SUBNET). This enables direct database access, admin panel takeover, and further lateral movement within the Docker network.

    Proposed Fix

    Add a .htaccess rule to block access to dotfiles:

    # Block access to hidden files (.env, .git, etc.)
<FilesMatch "^\.">
    Order Allow,Deny
    Deny from all
</FilesMatch>

    Or configure Apache to deny dotfile access in the virtual host configuration.

    Severity
    7.5 (High)
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    Show details on source website
    To clipboard 

    {
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-22T19:54:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Vulnerability Details\n\n**CWE**: CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory\n\nThe official `docker-compose.yml` (line 61) mounts the entire project root directory as the Apache document root:\n\n```yaml\nvolumes:\n  - \"./:/var/www/html/AVideo\"\n```\n\nThis causes the `.env` file \u2014 which contains database credentials, admin passwords, and infrastructure configuration \u2014 to be served as a static file at `/.env`. No `.htaccess` rule or Apache configuration blocks access to dotfiles.\n\n### Exposed Information\n\nAn unauthenticated request to `GET /.env` returns:\n\n```\nDB_MYSQL_HOST=database\nDB_MYSQL_USER=avideo\nDB_MYSQL_PASSWORD=avideo\nSYSTEM_ADMIN_PASSWORD=admin123\nTLS_CERTIFICATE_FILE=/etc/apache2/ssl/localhost.crt\nTLS_CERTIFICATE_KEY=/etc/apache2/ssl/localhost.key\nNETWORK_SUBNET=172.30.0.0/16\n```\n\n## Steps to Reproduce\n\n### Prerequisites\n- AVideo deployed using the official `docker-compose.yml`\n- No modifications to the default configuration\n\n### Steps\n1. Deploy AVideo using `docker compose up -d`\n2. Send: `curl http://target/.env`\n3. The full `.env` file contents are returned, including database credentials and admin password\n\n## Impact\n\n- **Attacker**: Unauthenticated (any remote user)\n- **Victim**: AVideo server and database\n- **Specific damage**: Attacker obtains database credentials (`DB_MYSQL_USER`, `DB_MYSQL_PASSWORD`), admin password (`SYSTEM_ADMIN_PASSWORD`), and internal network topology (`NETWORK_SUBNET`). This enables direct database access, admin panel takeover, and further lateral movement within the Docker network.\n\n## Proposed Fix\n\nAdd a `.htaccess` rule to block access to dotfiles:\n\n```apache\n# Block access to hidden files (.env, .git, etc.)\n\u003cFilesMatch \"^\\.\"\u003e\n    Order Allow,Deny\n    Deny from all\n\u003c/FilesMatch\u003e\n```\n\nOr configure Apache to deny dotfile access in the virtual host configuration.",
  "id": "GHSA-wf69-r4mx-43rr",
  "modified": "2026-06-22T19:54:15Z",
  "published": "2026-06-22T19:54:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wf69-r4mx-43rr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/7f418de1a95ab87bb8c8c3eb3702d71c351e098d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration"
}